Does Pulumi support AWS profiles set with a role_arn (example, i.e., AssumeRole)? I'd assume yes since it just calls out to AWS using Go & the default creds chain, but I'd just like to confirm. The note in the Pulumi AWS docs seems to hint Pulumi may not support this flow by default, "If you are using temporary security credentials, you will also have to supply an 

AWS_SESSION_TOKEN

 value before you can use Pulumi to create resources on your behalf."

I do it that way with typescript and temp creds coming from saml2aws. Or if you're running it on an instance that has the ability to assume other roles, you can create additional providers which will pull creds with something like (i'm sure there's a go equiv)

new aws.Provider(`${account.id}-provider`, {
            assumeRole: {
                roleArn: `arn:aws:iam::${account.id}:role/some_other_role`,
                sessionName: "PulumiSession",
            },
            region: 'us-east-1,
        })